AMLA Flags Crypto AML Risks as MiCAR Deadline Passes
The EU’s Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) published an advisory note on 29 June 2026 warning that the end of the MiCAR transitional period is creating new money laundering and terrorist financing risks across the bloc’s crypto-asset sector. The transitional arrangement expired on 1 July 2026, and from that date only firms authorised under the Markets in Crypto-Assets Regulation (MiCAR) as crypto-asset service providers, or CASPs, may legally operate in the EU.
The grandfathering arrangement stems from Article 143(3) of Regulation (EU) 2023/1114, according to AMLA’s advisory note, and had allowed crypto-asset service providers operating under applicable national law before 30 December 2024 to keep trading while they sought authorisation. Unauthorised virtual asset service providers, or VASPs, must now wind down or cease EU operations, while their customers migrate to a smaller pool of authorised CASPs. AMLA’s note sets out risks and mitigation measures across four groups: unauthorised VASPs exiting the market, authorised CASPs absorbing new customers, AML/CFT supervisors overseeing the transition, and financial intelligence units tracking the resulting fund flows.
For authorised CASPs, AMLA warns that onboarding customers from unauthorised VASPs can produce materially different risk profiles, including a concentration of higher-risk customers among the CASPs that remain in the market. The note adds that rapid customer inflows may strain transaction monitoring systems and compliance resources, requiring firms to adjust staffing and system capacity to keep managing ML/TF risk effectively as volumes rise.
AMLA describes the broader market reconfiguration as having a material impact on the functioning of the EU crypto-asset ecosystem, pointing to compressed wind-down timelines, concentration of activity among fewer authorised CASPs, and reduced transparency during exits as conditions that could be exploited to conceal illicit fund movements or evade sanctions. The note also flags new supervisory blind spots, since customer transfers and risk migration are happening simultaneously across jurisdictions with differing national wind-down frameworks. It further flags new typologies that financial intelligence units may need to track as asset bases move across multiple CASPs.
AMLA’s advisory is explicit that customers migrating from unauthorised VASPs should not face blanket de-risking, but instead individual risk assessments under a risk-based approach, with enhanced due diligence applied only where warranted. That guidance points to a structural strain: CASPs absorbing large volumes of new customers within a compressed timeframe need onboarding and transaction-monitoring systems that can scale quickly, without either defaulting to wholesale rejections or missing the elevated-risk profiles the note warns about.
Meeting that standard requires identity verification and AML screening infrastructure built to absorb volume spikes without slowing onboarding or resorting to blanket refusals. Shufti’s AML screening checks incoming customers against global sanctions, PEP, and adverse media watchlists, while its KYC and crypto solutions cover onboarding across 240+ countries and territories, supporting the kind of individual, risk-based assessment AMLA’s note calls for. CASPs adjusting their compliance stack as the EU crypto market consolidates can request a demo to see how the platform handles onboarding at scale.
